Botnets – networks of compromised computers and connected devices used as a platform for launching cyberattacks – are complex structures, making them difficult targets for law enforcement. According to Tom Grasso, supervisory special agent with the FBI’s Cyber Division, the only way to effectively dismantle a botnet operation is through cooperation with the private sector and citizens.
“I’m not going to tell you [the FBI] is the savior of the internet,” Grasso said during a briefing at the 2017 Black Hat convention in Las Vegas. “We’re not. You all are – we all are, actually, is what it comes down to.”
Grasso explained the bureau’s three-pronged approach to defeating botnets, which include neutralizing the threat actors, disabling the underlying infrastructure through active operations and mitigating the effects of malicious activity by sharing indicators of compromise across relevant sectors.
“We do more than just arrest the bad guys,” Grasso said. “The tools we have in law enforcement for identifying criminals and taking them out of action – that’s important – but there’s other things that we can do, as well.”
Neutralize
The more traditional law enforcement approach: Identify the bad guy and take them down.
“Find the people that are operating these things, take them off the playing field so they can’t continue to do the damage that they do,” Grasso said.
Mitigation
In every instance, the FBI wants to limit the amount of damage these actors and perpetrate. Most of those mitigation efforts center on sharing information with industry and relevant sectors.
“We can share intelligence with the private sector, and maybe the private sector can do mitigation and develop a technical solution,” he said.
If researchers in the private sector – whether in industry or independent – discover patches or technical solutions that make the attack vectors moot, “They’ve effectively defeated it and it’s not necessary for us to come in and do our thing from the law enforcement side.”
Technical Operation
“The last thing we can do, is kind of the sexy thing that everyone likes to talk about, which is a botnet takedown,” Grasso said. “Sometimes we can, by working with our private sector partners, do some kind of technical operation, some type of intervention where we go and take this threat away from the criminals and direct it somewhere safe, and then work on mitigation.”
The key to all of this, Grasso explained, is cooperation with the private sector.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.